02-19-2020 04:15 AM
Hi,
We've noticed a weird behavior in our ISE deployment integrated with ASA for AnyConnect authorization.
AnyConnect users have posture configured, so every time they connect they first match the "posture unknown" authorization profile while AnyConnect runs the system scan. We observe this normal behavior in the RADIUS live logs.
Once the client is compliant, the status changes to "Compliant" in the "Posture Status" column, but the "Authorization Profile" column is not updated with the rule that matches the compliant status. However, the dACL sent to the ASA and actually applied is the correct one based on the user profile.
ISE performs only authorization, not authentication, which is validated by the ASA using certificates.
Summarizing: ISE sees the user as compliant and internally matches the authorization profile for a compliant user, but the RADIUS logs are not updated accordingly and we see all the users with the status "unknown".
Any ideas?
Thanks.
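As an added example that is not part of the original post, the following script checks an exported RADIUS live-log CSV for the discrepancy described above: rows whose posture status is already "Compliant" while the logged authorization profile is still the pre-posture "unknown" one. The column names ("Session Id", "Identity", "Posture Status", "Authorization Profiles") and the profile name "Posture_Unknown_Profile" are assumptions for the illustration and the sample rows are constructed; adjust them to what your ISE version actually exports.

```python
"""
Consistency check over an exported ISE RADIUS live-log CSV.
Added illustration, not code from the original thread. The column
names and the profile name below are assumed; the rows are constructed.
"""
import csv
import io

# Constructed sample export: s1 shows the symptom from the thread
# (posture Compliant, but the logged profile is still the unknown one).
SAMPLE_CSV = """Session Id,Identity,Posture Status,Authorization Profiles
s1,alice,Compliant,Posture_Unknown_Profile
s2,bob,Compliant,Compliant_Profile
s3,carol,Unknown,Posture_Unknown_Profile
s4,dave,NonCompliant,Posture_Unknown_Profile
"""

# Assumed name(s) of the authorization profile(s) used for posture-unknown sessions.
UNKNOWN_PROFILES = {"Posture_Unknown_Profile"}


def find_stale_rows(csv_text, unknown_profiles=UNKNOWN_PROFILES):
    """Return the rows whose posture status is Compliant but whose logged
    authorization profile is still one of the posture-unknown profiles.

    A non-empty result means the live log disagrees with what the
    compliant authorization rule should have produced; the real enforcement
    (the dACL on the ASA) has to be verified separately.
    """
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        posture = row["Posture Status"].strip().lower()
        profile = row["Authorization Profiles"].strip()
        if posture == "compliant" and profile in unknown_profiles:
            stale.append(row)
    return stale


def summarize(csv_text, unknown_profiles=UNKNOWN_PROFILES):
    """Map each stale session id to its identity, for a quick report."""
    return {r["Session Id"]: r["Identity"] for r in find_stale_rows(csv_text, unknown_profiles)}


if __name__ == "__main__":
    for session_id, identity in summarize(SAMPLE_CSV).items():
        print(f"session {session_id} ({identity}): Compliant but logged profile is the posture-unknown one")
```

A stale row only tells you the log display is wrong, not that enforcement is; confirm the access list actually applied to the session on the ASA side (for example from `show vpn-sessiondb detail anyconnect`) before treating it as a policy failure.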
02-19-2020 12:51 PM
The behaviour you're seeing could be related to this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf59076
02-19-2020 11:30 PM
Thanks.
The bug description completely matches my scenario indeed. Time to patch!